[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS ce
|
From: |
Mark H Weaver |
|
Subject: |
bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS certificates |
|
Date: |
Fri, 19 Mar 2021 19:13:36 -0400 |
Ludovic Courtès <ludo@gnu.org> writes:
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> We should patch GnuTLS so that it also honors the SSL_* environment
>> variables documented in the Guix manual.
>
> Note that (1) the SSL_* variables are originally from OpenSSL, and (2)
> GnuTLS developers made the conscious decision to not honor any
> environment variable, leaving it up to application developers to do
> that.
>
> That’s the reason we are in this situation. See the thread at
> <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.
That thread is worth reading, but for those who are short on time, I
want to call attention to a specific point I made:
However, GnuTLS does not support an environment variable setting, so we
would have to patch the code (add_system_trust in lib/system.c). I
strongly considered doing this, but I'm worried about the possible
security implications. For example, consider a setuid program that uses
GnuTLS and assumes that the person who ran the program will not be
capable of changing the trust store that GnuTLS uses. This assumption
would be correct for the upstream GnuTLS, but not for ours.
<https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>
Thanks,
Mark